The smaller the better? Risk management systems in SpareBank 1 Nord-Norge.
Date: 22.05.17 Total number of pages: 123 Course code: BE304E
Candidate name: Silje Katrine Eivik Lorentzen
Summary
I wanted to study risk management in my master's thesis, and more specifically how the systems are developed and implemented in a bank. The reason I wanted to study this is that it is a very interesting area where many changes have happened in recent years, and there is also some uncertainty about the future. In addition, most of the earlier studies on this topic have been done on larger, international banks, and I therefore wanted to study a smaller bank to see whether there are many differences in how they work. Based on this, my research question is:
“How are the risk management systems developed and implemented in SpareBank 1 Nord-Norge?”
The ERM framework is recommended for banks in many of the earlier studies in the field, and I have therefore mainly based my theoretical references on this theory. SpareBank 1 Nord-Norge, however, turned out not to use this framework, even though I found some similarities.
When it comes to the development and implementation of the risk systems, the development is for the most part done within the SpareBank 1 alliance, and those who work at the main office are not much involved in this process. The development of the bank's policy is carried out at the individual banks and has nothing to do with the alliance. When the systems and the policy are to be implemented, this is done in the banks, and people from the main office travel around to the advisers and present the system and how it is to be used, and the advisers can ask questions and get support from the main office. The implementation is therefore a very interactive process.
Preface
During the previous semesters of my master education I have gained an interest in understanding how changing and uncertain environments affect the systems and models we find within management control. I also had a desire to study a bank for my thesis, as I find this industry interesting and relevant. Combining these two things, risk management popped out as an area where a lot of changes have been happening and there is also some uncertainty about the future, and I therefore chose this as my topic for the thesis.
SpareBank 1 Nord-Norge is a smaller, regional bank that stands out compared to the banks in the earlier studies done on this topic, and I am very grateful that I could gain contact with them, and that they wanted to be a part of my master thesis. Everyone I met at their main office in Tromsø was very welcoming to me, and the interviews were very interesting. The interviewees were very open to talking to me, and I am grateful for them sharing all their experiences. These interviews helped me a lot, and they inspired me when I moved forward with my thesis, so I want to send a big thank you to everyone at the risk department of SpareBank 1 Nord-Norge.
I also want to thank my supervisor, Elena Dybtsyna, for all her great feedback on my thesis. Her comments really helped me to move forward and make this thesis the best it could be.
Silje Katrine Eivik Lorentzen
Abstract
For this thesis, I wanted to study risk management, and how the systems are developed and implemented in a bank. The reason I wanted to study risk management is that it is an interesting field where a lot of changes have happened over the later years, and there is some uncertainty in the future. In addition, most of the previous studies on the topic I could find are of larger and international banks, so I wanted to study a smaller bank to see if there are a lot of differences. Based on this, my research question is:
“How are the risk management systems developed and implemented in SpareBank 1 Nord-Norge?”.
The ERM framework was recommended for banks in many of the previous studies, and I therefore mainly based my frame of reference on this theory. SpareBank 1 Nord-Norge, however, does not use this framework, even though I found some similarities.
When it comes to the development and implementation of the risk systems, the development of these is mainly done within the SpareBank 1 alliance, and the people working at the main office are not a big part of this process. The development of the policies is done at the individual banks, and has nothing to do with the alliance. When the systems and policies are going to be implemented, this is done at the banks, and people from the main office travel around to the consultants to present the system and how it is going to be used, and the consultants can ask questions and seek support. The implementation is therefore a very interactive process.
Index
Summary
Preface
Abstract
Index
List of figures
List of tables
List of Appendixes
Abbreviations / Acronyms
1. Introduction
1.1 Background and motivation
1.2 Research question
2. SpareBank 1 Nord-Norge
2.1 Risk management
3. Frame of reference and analytical model
3.1 Contingency theory
3.2 Enterprise Risk Management
3.2.1 Macro benefits of ERM
3.2.2 Micro benefits of ERM
3.2.3 The right amount of risk
3.3 Developing and implementing ERM
3.3.1 Is it successful?
3.4 Laws and regulations
3.4.1 BASEL III
3.4.2 Pillar 3
3.5 Analytical model
4. Methodology
4.1 Research design
4.1.1 Developing the interview guide
4.2 Validity and reliability
4.3 Choosing SpareBank 1 Nord-Norge
4.4 Conducting the interviews
4.5 Processing the data
5. Empirical data
5.1 View on risk
5.2 Framework used
5.3 Development of risk management systems
5.3.1 Credit risk systems
5.3.2 Operational risk systems
5.3.3 Guidelines and policies
5.4 Implementation of risk management systems
5.4.1 Credit risk systems
5.4.2 Operational risk systems
5.5.1 Standards and regulations
5.5.2 Change of focus
5.5.3 Development of systems and policies
5.5.4 Core business
5.6 Summary
5.7 The future of risk management
5.7.1 Dynamic markets
5.7.2 Standards and regulations
5.7.3 International framework
5.7.4 IT development
6. Analytical chapter
6.1 View on risk
6.2 Framework used
6.3 Development of risk management systems
6.4 Implementation of risk management systems
6.5 Changes within the field of risk
7. Conclusion
8. Further research
References
Books/Articles
Internet resources
Appendix
Appendix 1: Interview guide
Appendix 2: Transcribed interviews
Interview 1
Interview 2
Interview 3
Interview 4 (phone interview)
List of figures
Figure 2.1: SpareBank 1’s organizational chart
Figure 2.2: SpareBank 1’s risk management structure
Figure 2.3: SpareBank 1’s risk areas
Figure 3.1: Typical market, credit and operational risk distributions
List of tables
Table 4.1 Summary of the interviewees
List of Appendixes
Appendix 1: Interview guide
Appendix 2: Transcribed interviews
Interview 1
Interview 2
Interview 3
Interview 4
Abbreviations / Acronyms
BM – Bedriftsmarked (Corporate market)
CEO – Chief Executive Officer
CFO – Chief Financial Officer
CobiT – Control Objectives for Information and related technology
COSO – Committee of Sponsoring Organizations of the Treadway Commission
CRD – Capital Requirements Directive
CRM – Customer Relationship Management
CRO – Chief Risk Officer
EBA – European Banking Authority
EEA – European Economic Area
ERM – Enterprise Risk Management
EU – European Union
ICAAP – Internal Capital Adequacy and Assessment Process
IRB – Internal Rating-Based
LGD – Loss Given Default
PM – Privatmarked (Consumer market)
SNN – SpareBank 1 Nord-Norge
VaR – Value-at-Risk
1. Introduction
1.1 Background and motivation
It is likely that the risk functions in the bank industry will have gone through fundamental changes by 2025 (Härle et al., 2015). Even though this industry has already gone through many changes in the last decade, triggered by the global financial crisis, the pace of change does not seem to slow down over the next years. It is therefore important for banks to start preparing for this already; if they do not, they might be overwhelmed when all the changes hit them. Härle et al. (2015) suggest six main trends as drivers for these large changes in an article presented by the consulting firm McKinsey & Company, and these are the company’s predictions for the future of the bank industry.
The first trend that banks should be aware of is ‘continued expansion of the breadth and depth of regulation’. Four drivers are suggested for this expansion in the scope of regulation. First of all, both the public’s and the government’s tolerance for bank failures has been affected by the global financial crisis of 2008, and they are not willing to use the taxpayers’ money to save banks. The new regulations that came after 2008 expanded by tightening both the micro- and macro-focused regulations. Second, policies on illegal and unethical behavior have become stricter, as the focus has shifted towards financial crime. Thirdly, governments in different countries have started to focus on the requirement that both domestic and global organizations act in compliance with the country’s regulations if they want to do business within its borders. Lastly, it is also expected that the banking industry will have tighter regulations on how to behave towards customers. It is not expected that these changes in the regulations will happen at the same pace and scale in all countries, but Härle et al. (2015) believe that most countries will experience an expansion in regulations compared to what they have today.
Banks also need to take into consideration that customers’ expectations are currently changing quite a lot. Changes in customer expectations and technologies will likely cause large changes for banks and their profiles. By 2025, Härle et al. (2015) think the use of technology will be more widespread among all customers, both younger and older. This creates an increased need for innovation in technology in the financial industries, as customers will have higher expectations of the technological development. Technological development also makes it easier for customers to change their bank, so the banking industry needs to put more focus on building customer relationships and loyalty.
A third trend is that technology and analytics will become more of a risk muscle for banks. The development of new technologies will not only create challenges related to the customers, it can also help banks by creating new risk-management techniques. These techniques are often used together with advanced analytics. Computers and data storage become faster and cheaper, which helps in making decisions concerning risk, and in integrating the risk process in the organization. Although the future innovations are unknown, Härle et al. (2015) point out three innovations that are already affecting risk management: big data, machine learning and crowdsourcing.
New risk types are emerging within the bank industry, and some of them are nonfinancial. Even though there have been significant advancements in financial risk management over the last 20 years, nonfinancial risk has not gotten that much focus. But over the last years, the industry has experienced an increase in fines, damages and legal costs related to risk, which has forced attention toward these nonfinancial types of risk. Härle et al. (2015) see it as probable that this attention will increase over the next years, partly because of the new regulations mentioned earlier. There are also new critical risk types that have emerged, e.g. contagion risk, model risk and cyberattacks.
The bank industry will need to make better risk decisions, which can be done through the elimination of biases. For banks, a significant risk is that of making wrong decisions based on unrecognized biases. An important part of understanding this risk is to understand how real humans make economic decisions, as this often includes both conscious and unconscious biases, and decisions are also often affected by overconfidence. A lot of work has therefore been put into developing techniques that overcome such biases. Härle et al. (2015) present two risk functions that can be applied: bias recognition and elimination techniques.
Lastly, we see a trend for an increased need for strong cost savings for banks. The bank industry has experienced a decline in margins for both geographies and product categories, and cost reduction has been important to compensate for this. The decline in margins is however not expected to slow down, rather the opposite, caused by e.g. the tighter regulations (Härle et al., 2015). This creates a pressure on banks to rethink their operational costs, and change their cost systems to be able to reduce the cost and still produce value.
These six trends are indicators as to what changes might be in the future for the bank industry, but there is also a lot of uncertainty. The markets are dynamic, and changes are happening constantly, which affects the risk significantly. This article sparked my interest in the bank industry and makes it a very interesting industry to study at this point, as these changes will have significant effects on several aspects of banking. Risk management systems are one of those affected aspects that I find the most interesting, and I have therefore chosen to focus on this.
1.2 Research question
My motivation for choosing the topic of risk management is to gain a better understanding of how risk management systems have changed over the last years, including, but not limited to, enterprise risk management. As both risk management and enterprise risk management are large fields, I have narrowed it down to the development and implementation of the risk management systems. My main research question is therefore:
“How are the risk management systems developed and implemented in SpareBank 1 Nord-Norge?”
To be able to answer this research question, I will answer these sub-questions:
i. What is a risk management system and what is known about it in banks?
ii. How are the risk management systems developed in SpareBank 1 Nord-Norge?
iii. How are the risk management systems implemented in SpareBank 1 Nord-Norge?
Enterprise risk management is being used more and more in the financial industry, for example in banks, but there are different practices presenting themselves. There are different risk management types that together form the risk management mix in the organization (Mikes, 2009). There have been several studies on enterprise risk management in larger banks, e.g. Mikes (2009), and Wu and Olson (2010), but the smaller banks have not gotten that much attention in this field. It is therefore interesting to conduct this study of a smaller, regional bank, and see how risk management is implemented and used here, and if there are different findings from those earlier studies in larger banks.
2. SpareBank 1 Nord-Norge
I am focusing on only one bank for the data collection in my thesis, and am therefore doing a single case study. The case I am focusing on is SpareBank 1 Nord-Norge, which is the Northern-Norway part of the collaborative group SpareBank 1 Gruppen AS. This group is the second largest finance group in Norway. There is a total of 16 Norwegian banks in the collaborative group that was founded in 1996, all acting as independent banks, but with the brand name SpareBank 1 (https://www.sparebank1.no/nb/bank/privat.html, downloaded 21.01.17; SpareBank 1 Nord-Norge, 2017).
SpareBank 1 Nord-Norge (hereafter called SNN) is a regional bank, only focusing on Northern-Norway, and has grown with the local development so that it could become the bank it is today. Some of the industries that SNN is focusing on in Northern-Norway are aquaculture, fishing, technology and tourism. This does not mean that SNN is only focusing on corporate customers, as they have around 270,000 private customers and 33,000 corporate customers.
SNN offers payment, savings, loan and insurance services. With 38 offices spread across Nordland, Troms, Finnmark and Svalbard in Northern-Norway, in addition to online and mobile services, SNN is very accessible to its customers. SpareBank 1 Nord-Norge is organized by region, as can be seen in the organizational chart below (figure 2.1). It is a very safe bank at the moment, as it has been rated A1 by Moody’s and A by Fitch Ratings. (https://www.sparebank1.no/en/nord-norge/about-us/about-us.html, downloaded 21.01.17; SpareBank 1 Nord-Norge, 2017)
Figure 2.1 SpareBank 1’s organizational chart
SNN went through some major changes last year. In the beginning of the year they sold all their assets in the Russian market to focus back on the Northern-Norway market, which is a part of their strategy. Their vision as a part of this strategy is ‘For Northern-Norway’. They also closed the smallest branches of the bank, but no employees lost their jobs because of this. (SpareBank 1 Nord-Norge, 2017)
2.1 Risk management
SNN prioritizes having risk and capital management that supports the organization’s strategies, goals and development, and strives to assure financial stability. The framework for the risk management is based on elements like strategy, organizing and organizational culture, risk and capital management, reporting, follow-up, emergency response plans, and compliance.
Overall, SNN has a goal that the total risk level should be moderate and within the set limits of the strategy. Every quarter the Board presents a summary of the view on total risk for the organization. SNN’s risk management is structured with internal, external, and independent control bodies, as can be seen in figure 2.2 below, and the bank strives to have very high quality in all of its reporting. (SpareBank 1 Nord-Norge, 2017)
Figure 2.2: SpareBank 1’s risk management structure
When SNN is assessing their customers, they classify them in one of six categories: very
customers, most of them are within the very low or low risk categories. For the corporate market however, most of the customers are within the low or medium risk categories. The different types of risk that SNN encounters are organized within risk areas, and can be seen in figure 2.3 below. The bank calculates the risk within each of these areas, compares that to the set risk limit for that area, and calculates the total risk based on these areas. (SpareBank 1 Nord-Norge, 2017)
Figure 2.3 SpareBank 1’s risk areas
3. Frame of reference and analytical model
In this chapter, I am going to discuss relevant theories based on already existing literature within the field of risk management and the bank industry. I am first going to present the frame of reference, and then use this to present the analytical model a bit later in this chapter.
According to Nocco and Stulz (2006), a lot of changes have happened within the field of risk management and the role that it has in organizations over the past decades. Thirty years ago, the focus for the risk manager was to purchase insurance and to hedge interest rates and exchange exposures. Since then, risk management has grown to include a much wider range of risk, like operational risk, reputational risk and strategic risk. Mikes (2009) also adds that it has become more common that risk management is a part of the strategic decisions in organizations, especially after the latest financial crisis. Where earlier the risk manager position was a lower-level job, this increased focus has led to many organizations employing a senior executive in the position of chief risk officer (CRO) (Nocco and Stulz, 2006). According to Dickinson (2001), the role of the CRO is to coordinate the management and financing of risk across the organization, so the CRO has to work closely with the chief financial officer (CFO). In financial institutions, the CRO often has an additional responsibility of keeping a close eye on the government authority in charge of regulations.
There are two main ways to manage risk for an organization (Nocco and Stulz, 2006):
1. Look at only one risk at a time, on a very decentralized basis.
2. Look at all risks together within a framework. This is often called enterprise risk management (ERM).
Before taking a closer look at risk management theory, I am going to look at different factors that are affecting the risk and the risk management systems in an organization, presented through contingency theory.
3.1 Contingency theory
According to Otley (1980), contingency theory is a concept that was first known in the mid-1970’s. It builds on the prerequisite that there is no universal system that will be the best fit for all organizations in all circumstances. Past research done on contingency theory has
emerging aspects of management control systems (Chenhall, 2003). Instead of a universal system, organizations need to look at different factors in their operational context and how these are affecting them to determine the best system for their use. These factors, also called contingencies, include technology, organization structure, external environment, size, strategy and national culture (Chenhall, 2003; Otley, 1980).
Technology is often seen as the simplest and longest-established factor, although it can have different meanings within different organizations (Chenhall, 2003; Otley, 1980). It can e.g. refer to the technology used in work processes and is affected by the complexity, uncertainty and interdependence of the task (Chenhall, 2003). Different types of production technology, e.g. small batch vs large batch, and the complexity of the task will affect the internal systems in the organization, especially the accounting systems.
Otley (1980) also suggests that the structure of the organization will affect the organization, especially related to how budgetary information is used. The structure of the organization tells you the roles and tasks of different members and groups, and helps to make sure that all activities are carried out correctly (Chenhall, 2003). Decision-making processes and the choice between e.g. budget-constrained and profit-conscious systems are also a part of the structure, and will affect the performance and efficiency. This should therefore be based on considerations about the field of work and degree of interdependence.
Environment was also presented by Otley (1980) as an important factor in explaining why different systems work best for different organizations, and according to Chenhall (2003), this is the foundation of contingency theory. External environmental factors include how intense the competition is, what type of competition it is, uncertainty, turbulence, hostility, diversity, and complexity, and it can affect different departments within an organization differently (Chenhall, 2003; Otley, 1980).
Chenhall (2003) presents size as an important factor, and argues that organizations that are growing are improving their efficiency and create more opportunities than those that are not. Larger organizations can also control their operational environment to a higher degree, and can therefore reduce the uncertainty. Increasing size can also bring negative effects, as the increased amount of information and complexity may require a higher degree of control, rules and regulations within the organization. The size of the organization will therefore affect what kind of system is the best fit.
Strategy is, according to Chenhall (2003), a bit different from the other factors presented. It is not so much a part of the context as a tool the organization can use to affect the context, especially environment, technology and structure and control. This assumption gives the managers back some power in that they can control some of their operational context. Different strategies will therefore work better with different management control systems.
National culture, as presented by Chenhall (2003), is an extension to the factors in the original contingency theory. Different countries have different cultures, and people from these cultures will respond differently to the same management control system. A system that works in one country might not work that well in another. As many organizations have become multinational, they need to consider the effect of the national culture of the country when designing the management control system they are going to use.
3.2 Enterprise Risk Management
Enterprise risk management emerged among organizations in the mid-1990’s as a top-down approach to managing the total risk that an organization faces (Dickinson, 2001). COSO (2004, in Mikes 2009:20) defined enterprise risk management as
“… a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”.
This presents ERM as a strategic management control system (Mikes, 2009).
Mikes (2009:19) also presents enterprise risk management as
“the risk management of everything”,
and suggests that this model is a universal model that all new banks should adopt, especially because of the good fit with banking regulations and corporate governance. This has led to many banks adopting ERM, and especially the mission and principles of this model. Nocco and Stulz (2006) also argue that organizations that are able to create an effective ERM gain a competitive advantage over those that look at one risk at a time. The reason for this is that these organizations have a consistent and systematic measurement of risk that produces the
organization. This will help the organization in following its strategic plan. A good ERM will also create value at both a macro and micro level. At the macro level, it supports the senior management in managing the tradeoff between risk and return for the entire organization, which helps in maintaining the access to capital markets and other resources needed to implement the strategy and business plan in the organization. At the micro level, the ERM helps both managers and employees at different levels and departments in the organization in evaluating the tradeoff between risk and return, and in owning the material risks. I am now going to take a closer look at these benefits.
3.2.1 Macro benefits of ERM
One very important reason for organizations to manage risk, according to Nocco and Stulz (2006), is to avoid the underinvestment problem. This means that the organization can reduce the probability of having a large cash loss compared to what was expected, as this can lead to less cash allocated to value-increasing investments. This does not mean that all risk should or can be avoided; all organizations are exposed to some risk, like changing currencies, interest rates and commodity prices (Nocco and Stulz, 2006). When organizations make decisions on retaining or transferring risk, the principle of comparative advantage in risk-bearing can be a good guideline. If an organization is not able to forecast market variables, it does not have a comparative advantage in bearing the risk that is associated with these variables. For organization-specific business risks on the other hand, the organization will have a huge advantage as it knows more about these specific risks than any other organization. Using this comparative advantage guideline will remind organizations that they are in business to
“… take strategic and business risk” (Nocco and Stulz, 2006).
Once organizations realize the advantage of certain business risks, the risk management can help the organization in making the most out of this advantage.
3.2.2 Micro benefits of ERM
If the total risk in an organization is increasing, Nocco and Stulz (2006) pointed out that this can lead to important projects being passed up and disrupt the normal operations. The costs associated with the total risk therefore need to be accounted for when the tradeoff between risk and return is assessed for possible new investments. If taking on a new project will increase the total risk in the organization, it needs to have a sufficiently large return to make up for this risk and the cost associated with it. A challenge when implementing the ERM is to ensure that this tradeoff between risk and return is taken into consideration for decision-making on all levels of the organization, and not just for the top management. To cope with this challenge, the evaluation of the risk tradeoff needs to be performed by the project planners for that specific project. This more decentralized approach makes the main focus for the CRO to provide the project planners with the information they need and incentives to make decisions that are in accordance with the shareholders’ interests.
3.2.3 The right amount of risk
One of the larger questions regarding risk management is what the optimal amount of risk for an organization to bear is. Nocco and Stulz (2006:11) tell us that when the organization is reducing its risk, it can also reduce
“the amount of expensive equity capital needed to support its operating risks”.
Based on this we can see risk management as a substitute for equity capital. The role of the CRO and the top management then becomes to evaluate the tradeoff between implementing a more active risk management system and having a larger buffer of cash and equity in the organization. If the organization does not have a large buffer, a substantial drop in the cash flow can have large financial disadvantages. Many organizations therefore have a set level of cash flow that they want to maintain, and then build the risk management system around this set value to ensure that the organization does not go under that minimum (Nocco and Stulz, 2006). Although the risk management system is built around this goal, you can never be a hundred percent sure that the cash flow will not fall below this value, as unexpected events can occur. The ERM will therefore not eliminate the probability of financial disadvantages, but limit it to a level that the senior management thinks will maximize the value of the organization. By having large investments in treasury bills, an organization can minimize the probability of disadvantages, but this is not in the best interest of shareholders. Rather, the management needs to put its focus towards optimizing the risk portfolio of the organization.
If the organization takes on a new risky project or activity, the probability of financial disadvantages will increase together with the expected costs associated with the disadvantage.
Nocco and Stulz (2006) suggest that a possible way to avoid these increased costs is to raise
the cost of the increased risk from this project or activity, is to evaluate how much new capital needs to be raised to eliminate the effect on the probability of financial disadvantage. In theory, this might seem simple, but in practice organizations have many different risky projects at once, and the total risk is also affected by the correlation between these, which makes it much more complicated. Therefore, it is necessary to have enough information about the other projects in the organization in addition to how a new project will contribute to the risk before making a decision.
Nocco and Stulz (2006) point out that for organizations in the finance industry, e.g. banks, there is a specific consideration that needs to be included when evaluating the cost of financial disadvantages. Financial trouble in the market will have a larger impact on liabilities, e.g. bank deposits and insurance contracts, for this industry, as it is an important source of value for organizations operating here. Since these liabilities are more sensitive than those in many other industries, financial organizations often set a lower target probability of financial disadvantages.
3.3 Developing and implementing ERM
Mikes (2009) suggests that for financial institutions like banks, ERM should be implemented as a part of the decision-making and management control. According to Nocco and Stulz (2006), a critical part of this implementation is that employees at different levels and departments in the organization all understand how this framework can create value. They also point out that the management needs to understand that ERM is not just an academic exercise; rather, it is a tool that is important for the execution of the organization’s strategy. To get everyone in the organization to support the ERM, the management needs to carefully design the performance evaluation and incentives related to it. This points to ERM being a top-down process, as suggested by Dickinson (2001), and policies and organizational structure are therefore important for a successful implementation. Those employees that work closely with risk need to provide this information to the top management, so that the management can provide policies on how to act on these risks.
Nocco and Stulz (2006) have identified several steps on how to implement ERM and make it work. The first step when an organization wants to use ERM is to identify all the risks it is exposed to. This can be done by identifying the different types of risk that are relevant for the organization and that will be measured. Mikes (2009) calls this risk silo management. For the banking industry, this often involves classifying the risks it is exposed to into one of the three categories market, credit, and operational (Nocco and Stulz, 2006). In this classification, operational risk becomes an all-surrounding category that involves everything that cannot be put into the market or credit risk categories. Even though this is the most common classification, many organizations have in more recent years also started to include liquidity, reputational, and strategic risks (Nocco and Stulz, 2006). In addition, the classification of market, credit, and operational risks does not fit well for organizations other than banks, even within the financial industry, as these face different types of risk.
After all the risks that the organization is exposed to are identified, Nocco and Stulz’s (2006) next step is to find a consistent way of measuring how exposed it is to these risks. One approach to this that is commonly used is to quantify all the significant exposures for the organization. By using this approach, the organization ensures that the same risk will have the same effect on performance evaluation and decision-making for all the different business units and activities within the organization. Activities with the same risk will then be allocated the same amount of capital, and you avoid tension building up between the employees. For this identification and measuring of risks to be useful for the whole organization, the information possessed by employees on different levels needs to be continuously collected and made comparable in an analysis, so that the risk can be managed effectively. A large number of corporate disasters have been caused by organizations that have not thoroughly inventoried their risks, so this is an important, yet time-consuming, step.
Although Nocco and Stulz (2006) present credit ratings as helpful in relation to the organization’s risk appetite and measuring of how exposed it is to risk, they also point out some limitations that the management needs to be aware of. Since credit ratings are based on accounting ratios and subjective judgement, these may not always be the most reliable estimates of the organization’s risk level.
Looking back at the classification of risk in the three categories market, credit and operational risks, an organization will begin the measuring process by measuring the exposure to the risk categories individually (Nocco and Stulz, 2006). Value-at-risk (VaR) has often been suggested as one way of measuring this (Mikes, 2009; Nocco and Stulz, 2006; Wu and Olson, 2010). According to Mikes (2009:23), VaR is
“… a statistical measure of unanticipated loss, derived from the loss distributions of
Wu and Olson (2010) also present scorecards (e.g. the balanced scorecard) as a tool for measuring performance and risk, partly because they focus on strategic goals and measurement, although they are not as commonly used within ERM.
Starting the measuring process, each of the three categories will first have its own VaR measurement, and then these are used to find the organization-wide VaR. The organization-wide VaR will be affected by the correlation between the three categories of risks, which tells us the probability of having high exposure of risk in all categories at the same time. Normally this probability will be low, which means that the three risk categories are diversified, so the organization-wide VaR will be lower than the sum of the three VaRs (Nocco and Stulz, 2006). According to Nocco and Stulz (2006), the three types of risk have very different distributions, as can be seen in figure 3.1 below. Market risk has a normal, symmetric distribution, while both credit and operational risk have distributions that are more asymmetric.
The reasons for these differences can be that market risk has a behavior that is similar to that of returns on a portfolio of securities. Credit risk, on the other hand, is more uncertain: either the creditor pays back everything that it owes, or it does not pay back at all, which can lead to large losses. With operational risk, there are often smaller losses, but the total number of losses is larger.
Even though smaller losses are more normal, there is also a chance of larger operational losses, which create the long tail we see in the figure.
Often the relation between the amount of equity capital the organization has set to reach its goal rating and the amount required by the regulator is very small. By using ERM, the organization seeks to maximize the shareholders’ value, so the amount will largely exceed the regulatory requirements. The requirements will therefore not affect the decision-making in the organizations, as these are already fulfilled.
Figure 3.1: Typical market, credit and operational risk distributions (Nocco and Stulz, 2006:17)
3.3.1 Is it successful?
So, how can an organization know that its ERM is successfully implemented? Nocco and Stulz (2006) point out that a successful and effective ERM should contribute to a better estimate for the expected value, and increase the understanding of the unexpected losses, but it still does not eliminate all the risk. Therefore, substantial negative outcomes are still a possibility, and the ERM should not be judged on that. The ERM is there to limit the probability of such outcomes to the level set by the top management.
Nocco and Stulz (2006) further look at how to evaluate how well the CRO is doing.
This can be done by determining if the risk is well understood and managed within the
resources to invest in new projects, as the investors trust its decision. If the investors see that the risk is understood and managed in a good way, they can also distinguish between negative outcomes as a result of bad luck and negative outcomes as a result of bad management.
3.4 Laws and regulations
In addition to Norwegian law and regulations, Norwegian banks have to fulfill some requirements and follow frameworks from the Financial Supervisory Authority of Norway, the European Banking Authority and international committees. Two of the requirements that I will shortly present are Basel III and Pillar 3.
3.4.1 Basel III
Basel III is a global framework created by the Basel committee, and seeks to make the banking industry more resilient to financial and economic stress (Basel Committee on Banking Supervision, 2010). It builds on the previous Basel I and Basel II frameworks created by the same committee. By making this framework, they hope to reduce the risk of distress in the banking industry affecting other industries as well, as we saw in the financial crisis of 2008, and it is also building on lessons from this crisis. The main goals of this framework are to have better risk management and governance in the banks, and to make them more transparent, which is done through a strengthening of the regulatory capital framework, raising the quality and quantity. A limitation on risk-based capital measures is also presented in the framework, which intends to reduce model risk and errors. The Basel Committee on Banking Supervision (2010) argues that having a more stable bank industry can lead to more sustainable economic growth, as it offers services to both consumers and companies of different sizes, as well as the government.
The EBA decided in September 2012 that the requirements in Basel III will be incorporated in the EU’s capital requirement regulations. As Norway is a part of the EEA, the Norwegian banks will also have to follow this regulation (https://www.finanstilsynet.no/nyhetsarkiv/, 2012). In March 2013, the EU presented their own framework called CRD IV which presents regulations on capital requirements, and this framework builds on Basel III (https://www.finanstilsynet.no/nyhetsarkiv/, 2013).
3.4.2 Pillar 3
Pillar 3 was a recommendation from the Basel Committee in the Basel III framework, but the Financial Supervisory Authority of Norway has made it a requirement for Norwegian banks. It presents a requirement for the banks to make information about capital, risk and the relationship between them public. The purpose of Pillar 3 is to increase the discipline in the market and to make it easier to compare different banks to each other. For different stakeholders, this information will help them evaluate the banks when it comes to risk profile, capitalization, and how they manage and control risk. This information should at least be published once a year with the annual reports, but the banks can choose to publish it more frequently (https://www.finanstilsynet.no/tema/kapitaldekning/, 2017).
3.5 Analytical model
Risk management is a field that has experienced a lot of changes over the past decades, and today it is a much wider field than just thirty years ago. There has also been a widening in the number of different types of risk that an organization must consider. How organizations are affected by these different risks, and what type of model or framework is the best fit for coping with these risks, is affected by several factors in the organizational context. These are factors like technology, organizational structure, external environment, size, strategy and national culture, and all of these factors could have contributed to the systems you find in an organization today.
Two main ways of working with risk have appeared. The first one is to look at each risk and situation individually, and only evaluate them based on their effect alone. The second one is to look at all the risks the organization is affected by together to find the best composition of different risks. This is often done through the framework of enterprise risk management (ERM), which emerged in the mid-1990s as a strategic management control system. ERM has often been recommended for banks and the financial industry, and it is therefore the focus of this analytical model.
As said, ERM is presented as a good fit for banks and financial institutions, and has therefore been adopted by many banks. This framework says that risk is not something that should be avoided, instead you need to be able to manage the risk and see the possible effects of the different types of risk for the organization. Banks therefore need to consider the tradeoff between risk and return when evaluating new projects. Finding the optimal amount of risk is
this, you need to consider the tradeoff between implementing a more active risk management system and having a large buffer of cash and equity in the organization. Many organizations have a set level of cash flow that they do not want to fall under as the baseline for this tradeoff.
Banks also have to consider the fact that they are in the center of the financial industry, so financial trouble within any market or industry can affect them.
ERM is suggested to be implemented as a part of both the decision-making and management control, and should be used at all levels in the organization as a top-down process.
In this process, it is important that all employees at different levels understand the model and the values it creates. By doing this, the organization can gain a competitive advantage. These advantages can be at both a macro and micro level. At the macro level, ERM helps with the evaluation of tradeoff between risk and return for the entire organization, avoiding an underinvestment problem, making decisions on whether to retain or transfer risk. At the micro level, ERM helps with the evaluation of tradeoff between risk and return on different levels and departments when assessing new projects, and brings a more decentralized approach to risk management.
There are several steps to follow when developing and implementing the ERM framework. First, the organization needs to identify all the different types of risk it is exposed to. These risks are then classified into different categories like market, credit and operational risk. When this is done, the organization also needs to find a way of measuring how exposed it is to the different risk types. Credit ratings can be helpful in this process, but are not always recommended. Value-at-risk (VaR) is another way of measuring the exposure, where you start by looking at the risks individually. If using VaR, all the risk types will then first have their own VaR, which is then used to find the organization-wide VaR. The organization-wide VaR will be affected by the correlation between the individual VaRs, and is therefore often lower than the sum of these. Even though this work can be very time consuming, it is crucial for the organization that this is done correctly.
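As an added illustration (not part of the thesis or of Nocco and Stulz, 2006), the sketch below combines standalone VaRs into an organization-wide VaR, as described in section 3.3 and in the summary above, using square-root aggregation over a correlation matrix. The VaR figures and correlations are constructed, and the formula is an assumption that is exact only for elliptical (e.g. normal) loss distributions, so for the asymmetric credit and operational distributions it is an approximation.

```python
import math

# Constructed standalone 99% VaR figures (e.g. NOK million); not data from the thesis.
STANDALONE = {"market": 3.0, "credit": 4.0, "operational": 12.0}
NAMES = list(STANDALONE)


def correlation_matrix(names, pairs, default=0.0):
    """Build a symmetric correlation matrix; unlisted pairs get `default`."""
    corr = {a: {b: (1.0 if a == b else default) for b in names} for a in names}
    for (a, b), rho in pairs.items():
        corr[a][b] = corr[b][a] = rho
    return corr


def _check_correlation_matrix(names, corr):
    """Reject matrices that cannot be correlation matrices."""
    for a in names:
        if abs(corr[a][a] - 1.0) > 1e-12:
            raise ValueError(f"diagonal entry for {a!r} must be 1")
        for b in names:
            rho = corr[a][b]
            if not -1.0 <= rho <= 1.0:
                raise ValueError(f"correlation {a!r}/{b!r} outside [-1, 1]")
            if abs(rho - corr[b][a]) > 1e-12:
                raise ValueError(f"matrix not symmetric for {a!r}/{b!r}")


def aggregate_var(standalone, corr):
    """Organization-wide VaR = sqrt(sum_i sum_j rho_ij * VaR_i * VaR_j)."""
    names = list(standalone)
    _check_correlation_matrix(names, corr)
    total_sq = sum(
        corr[a][b] * standalone[a] * standalone[b] for a in names for b in names
    )
    if total_sq < 0:
        raise ValueError("correlation matrix is not positive semi-definite")
    return math.sqrt(total_sq)


def diversification_benefit(standalone, corr):
    """How much lower the organization-wide VaR is than the plain sum."""
    return sum(standalone.values()) - aggregate_var(standalone, corr)


def risk_contributions(standalone, corr):
    """Split the organization-wide VaR across categories (Euler allocation).

    Each share reflects how strongly a category moves with the others, so a
    category's contribution is at most its standalone VaR; shares sum to the total.
    """
    total = aggregate_var(standalone, corr)
    if total == 0:
        return {a: 0.0 for a in standalone}
    return {
        a: standalone[a] * sum(corr[a][b] * standalone[b] for b in standalone) / total
        for a in standalone
    }


if __name__ == "__main__":
    scenarios = {
        "independent": correlation_matrix(NAMES, {}),
        "partly correlated": correlation_matrix(
            NAMES, {("market", "credit"): 0.5}, default=0.2
        ),
        "perfectly correlated": correlation_matrix(NAMES, {}, default=1.0),
    }
    print(f"sum of standalone VaRs: {sum(STANDALONE.values()):.2f}")
    for label, corr in scenarios.items():
        total = aggregate_var(STANDALONE, corr)
        shares = risk_contributions(STANDALONE, corr)
        detail = ", ".join(f"{k}={v:.2f}" for k, v in shares.items())
        print(f"{label:>21}: VaR={total:.2f} "
              f"benefit={diversification_benefit(STANDALONE, corr):.2f} ({detail})")
```

Only when all correlations equal 1 does the organization-wide figure reach the plain sum of the standalone VaRs; any lower correlation produces a diversification benefit.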
It can be difficult to know if the implementation of ERM has been successful. Some indicators can be that the organization has a better estimate for the expected value, a better understanding of the unexpected losses, and a good management of the risk. A successful ERM does however not eliminate risk and unexpected losses, and should therefore not be judged by the appearance of this.
There are also different standards and regulations that banks need to consider. One of these is Basel III, which is a global framework created by the Basel committee, and seeks to make the banking industry more resilient to financial and economic stress. Another is Pillar 3, which was a recommendation from the Basel Committee in the Basel III framework that the Financial Supervisory Authority of Norway made a requirement for Norwegian banks. It presents a requirement for the banks to make information about capital, risk and the relationship between them public.
The analytical model, as presented here, is a summary of the frame of reference, and presents my assumptions and expectations as to what systems they use in banks, and how the process of risk management is performed. My assumptions are that the ERM framework is used in banks, as it is presented as a good fit for organizations within the financial industry. Further, it is implemented in the whole organization at all levels, there is a good information flow both up and down in the organization, and the organization’s strategy is a part of this process. Several of the steps on how to develop and implement ERM are to be followed, especially how to identify and measure the exposure to the different risk types. This can help all the employees in evaluating possible customers and projects, see how these will affect the total risk in the company, and make decisions about them. In addition, standards and regulations like Basel III and Pillar 3 will be taken into consideration when developing and implementing the risk management systems.
4. Methodology
Looking back at the introduction chapter, I presented 3 sub questions to my research question. Those were:
i. What is a risk management system and what is known about it in banks?
ii. How are the risk management systems developed in SpareBank 1 Nord-Norge?
iii. How are the risk management systems implemented in SpareBank 1 Nord-Norge?
The first question is theoretical, and will be answered through secondary data such as published academic papers on the topic, mainly studies done on banks. This was done in chapter 3. The second and third questions will be answered through primary data collection in the form of interviews with key employees at SpareBank 1 Nord-Norge, in addition to secondary data such as annual reports. I also want to clarify that I am not going to look at how this process is done in the whole bank, only in the risk department of SpareBank 1 Nord-Norge. Key employees are therefore referring to those working in the risk department office. How this is done is presented in this chapter, and the results from the collection of primary data are presented in the next chapter, with secondary data, such as the annual reports, being used to add to and complement the findings in the interviews.
4.1 Research design
Easterby-Smith et al. (2012) tell us that the research design is about organizing research activity, including the collection of data, in the ways that are most likely to achieve the researcher’s goals. Therefore, research design is based on the research components, which were used to search the answers to questions about the study.
I have chosen a qualitative research design, in the form of semi-standardized interviews.
According to Easterby-Smith et al. (2012), this type of research includes significant components such as the researcher’s experience, and his or her knowledge and intuition. The advantage of qualitative interviews is that you can go more in depth, and in that way uncover more of the meanings, motives and understandings behind the actions of the interviewee. If something is unclear to your interview object, you are there to explain it to them, so you may get more representative answers than with quantitative methods.
According to Hopf (2004, p. 203-204), semi-standardized interviews mean that you have an interview guide with topics you need to cover, but the interviewer has more freedom when it comes to formulating the questions and the order of them throughout the interview.
This way, you have the possibility to go more in depth on topics that seem interesting or important to the person you interview, or areas that you find out that they have significant knowledge about. This possibility was the main reason that I chose semi-standardized interviews as my research method.
Within the research design, I have also chosen to do a single-case study. This kind of case study can be relevant under five circumstances: the case is critical for your theory, the case is unusual in that it deviates from the theory, the case is common in that it represents everyday situations and their conditions, the case is revelatory in that you gain access to a previously inaccessible case or phenomenon, and the case is longitudinal in that you study the same case at different points in time (Yin, 2004). The way that a single-case study is relevant for me is that the case is unusual in that it deviates from the theory. This is because my case organization is of smaller size than those in earlier studies, and it operates in a different market. In earlier studies the organizations are operating within a whole country or several countries, while SNN only focuses on a region within a country, and it will be interesting to see if there are some differences based on this.
According to Yin (2014) there are two types of single-case study designs: holistic and embedded. A holistic design means that you study the whole organization or program and its nature. An embedded design means that you study subunits within an organization or a program.
My study can be said to have an embedded single-case design as I only look at the risk department of SpareBank 1 Nord-Norge, which then becomes my subunit.
4.1.1 Developing the interview guide
While developing the interview guide, my focus is to make a guide that covers the main areas that I want to include in the interviews, but still keep it open enough so that I can customize it to the different people that I am going to interview. As the interviewees have different responsibilities and roles in SNN, more focus is put on some topics than others during the different interviews. Because I presented my study, asked about the possibility to record the interviews and told about anonymity during the e-mail exchange before the interviews, that is not a part of the interview guide. The finished interview guide can be found in appendix 1.
The interview guide starts with a few general questions. I find these relevant as how long they have worked there will affect how much experience they have, and it gives an indicator as to what changes in risk management during the years they may have been a part of.
Their main responsibilities or area they work with is included, as this will give an indicator to what they do on a daily basis. In addition, it is interesting to see if there are differences between responsibility area and the answers on some of the other questions in the interview.
Risk understanding is one of the areas where I find it interesting to see if the answers differ between the interviewees. In addition, how they view risk will affect a lot of the work they do, and is therefore important to establish. I have also included a question about the framework being used here, as this can affect both the view of the risk, how they understand risk and risk management, and also the development, implementation and use of risk management systems.
The development, implementation and use of the risk management systems are the most important parts of the interview guide, as these are a large source to answering my research question. I seek to get an understanding as to how these processes are being performed, who is involved and if there are differences between departments and markets.
Ending the interview guide, I want to include a few questions about what the interviewees think about the future for risk management, how it will develop and change, both in the literature and the standards and regulations. I choose to include these as there have been a lot of changes, and there are a lot of different thoughts on how it will be in the future, and it is interesting to see what someone that is actually working with this thinks about it.
As all the interviewees are Norwegian, the interviews are being held in Norwegian and then translated by me for the transcribed interviews that can be found in the appendix. The same applies for the interview guide.
4.2 Validity and reliability
To judge the quality of a research design, tests for validity and reliability are often used.
Validity is generally about how well the data collected represent the phenomenon you are studying, or how relevant it is for the phenomenon (Johannessen et al., 2011:73). Reliability is a test of the accuracy of the research data, what kind of data is used and how it is collected and how it is processed (Johannessen et al., 2011:44). According to Yin (2014), there are three different tests that can be used for testing the validity: construct validity, internal validity and external validity.
Construct validity means
“identifying correct operational measures for the concept being studied”. (Yin, 2014:46)
To do this, it is necessary to first define the concept that is going to be studied, and then find the correct way to measure this concept. The construct validity can be increased by having multiple sources and a good chain of evidence (Yin, 2014). The concept I am going to study is defined in the research question, and is the development and implementation of risk management systems. I am going to measure it by the results of the interviews with people working with this concept. By having multiple interviews about the same topic and recording the interviews, I hope to increase the construct validity of my study.
Internal validity is
“seeking to establish a causal relationship, whereby certain conditions are believed to lead to other conditions, as distinguished from spurious relationships”. (Yin, 2014:46)
This is mainly a concern when there is an exploratory study, which means that the study tries to explain why one event leads to another (Yin, 2014). As I am not doing an exploratory study, and I focus on finding out how a process is done and not a cause-and-effect relationship, this does not apply so much to my study.
External validity is
“defining the domain to which a study’s findings can be generalized”. (Yin, 2014:46)
This tests whether the results from the study are generalizable, or whether they only apply to this singular study (Yin, 2014). For my study I am only studying one organization, so based on that, the result might not be generalizable. But I am studying ‘how’ this concept is developed and implemented in that organization, the concept being risk management system, which is something many organizations have to deal with. Based on that, the results can apply to other organizations as well.
Reliability is
“demonstrating that the operations of a study – such as the data collection procedures – can be repeated with the same results”. (Yin, 2014:46)
This means that another researcher should be able to repeat the study, and do it on the same case, and get the same results and conclusions as the first researcher. It is therefore important for the researcher to document what has been done (Yin, 2014). During my data collection, I was keeping notes of all the stages concerning the development of the interview guide, and the finished interview guide is attached to the thesis. I also kept notes of the process of contacting the interviewees. The choice of the case company was based on it being within the size and type of organization I wanted to study, while the choice of interviewees was based on access within the organization. I was both taking notes during all the interviews and recording them, and then transcribing them afterwards, so that the whole process would be documented.
By doing this, I hope to have covered every step needed for the reliability of my research to be tested and approved.
Overall, I think that my study can withstand the test for validity and reliability. External validity is the only test where I think there can be some problems, but this study was not meant to be generalized for all banks, it was meant as a study of how a Norwegian bank is working compared to the international banks in previous studies, and that is what I hope will come through.
4.3 Choosing SpareBank 1 Nord-Norge
My case organization is SpareBank 1 Nord-Norge. SNN is working on a regional basis and therefore becomes a smaller actor in the banking and risk industry. I find it interesting to see how they relate to risk management and if the size of the organization affects this. As most of the studies already done on risk management are on banks that are larger than SNN, my motivation for choosing this bank is to see if what studies done on larger and often international banks have found can relate to how a smaller bank is working with the same topics and issues. Questions I have asked myself when making this choice are what similarities and discrepancies, if any, there will possibly be between the results of these existing studies and my thesis, and whether there are any discrepancies in how they view risk.
Even though SNN is a part of a bigger collaborative group, they act as an independent bank, so the findings from this thesis can be interesting for both departments of larger banks, and other smaller banks like SNN. I aim to find out if this affects how they look at risk, how much risk they are willing to take, the quality of the risk management systems, and how much resources they put into this work. Through interviews with key employees in SNN’s risk department, I hope to gain knowledge about this.
To gain access to key employees, I contacted SNN through e-mail and presented the study I wanted to do and myself, and in that way I got in touch with one of the leaders at the risk management department. He then presented people that it would be relevant for me to interview, and was the coordinator for the interviews. These people were all within the risk department, but at different levels and with different responsibilities and areas of expertise.
SNN’s risk department is located in Tromsø, and I therefore travelled there to be able to have the interviews in person. A summary of the interviewees, what their main responsibilities or tasks are, how many years of experience they have with working in a bank, and how many years of experience they have with working with risk management in SpareBank 1 Nord-Norge can be found in table 4.1 below.
I was originally going to have four interviews there the day that I travelled to Tromsø, but as one of the interviewees was sick that day, three interviews were held in person and the last interview was done over the phone. I did not have any direct contact with the interviewees before the interviews; all contact was done through the leader I first got in touch with.
| Interviewee | Main responsibilities or tasks | Years of experience in banks | Years of experience with risk management |
|---|---|---|---|
| Interviewee 1 | Credit risk, credit models and risk management within this. | Not mentioned, but long history of different functions within banks. | Over ten years. |
| Interviewee 2 | Operational risk and system development within this. | Five and a half years. | Two and a half years. |
| Interviewee 3 | Leader of risk management and IT. | 34 years. | Ten years. |
| Interviewee 4 (phone interview) | Credit quality on an overall level and follow-up of this towards the bank chiefs and consultants. | 14 years. | Nine years. |

Table 4.1 Summary of the interviewees
4.4 Conducting the interviews
I travelled to Tromsø to be able to conduct the interviews face to face. The interviews were held in a meeting room in their office where we could be free from interference. I experienced many benefits from having the interviews face-to-face, as I could see their facial expressions and it was easier to notice which topics they had more knowledge about and were most interested in talking about. Because of this interaction, the interview guide was not always fully followed, and instead I followed the natural path of the interview. In addition, some of the interviewees had prepared a presentation or brought some slides to show me, so then the interview focused around that first. During the phone interview, I found this part a bit more difficult. Even though all the interviews were recorded (with consent), I was taking notes during them to keep an overview over the topics we had talked about, be able to ask follow-up questions, and it helped me to see the connections when I was transcribing the interviews and it will also help me analyzing them.
As all the interviewees were to be kept anonymous, they are just called interviewee 1, interviewee 2, interviewee 3 and interviewee 4 in the transcribed interviews, which have been shortened to I1, I2, I3 and I4, and that is how I refer to them in the empirical data and analysis chapter. When I am speaking in the interviews, it can be seen in the transcribed interviews as M, which refers to ‘me’. All the transcribed interviews can be found in Appendix 2.
4.5 Processing the data
When all the interviews were conducted, I started the work of processing them. As I had recorded all the interviews, I started by listening to them and writing down, in Norwegian, what was said word by word in all of them. After I was done with this, I started translating what I had written down into English, and this is what can be found in the appendix.
The transcribed interviews were then used for the empirical chapter and the following analysis, which can be found in the next two chapters. I divided the material into different topics, and then looked at what was said about each topic in the different interviews. I especially looked at whether the different interviewees agreed on the different topics, or if they expressed different opinions during the interviews. Not all topics were covered or talked about that much in all the interviews, and therefore not all interviewees will be represented within all topics in the analysis.
5. Empirical data
I am now going to present my empirical findings on how the process of developing and implementing risk management systems is actually done in SpareBank 1 Nord-Norge, in accordance with my analytical model presented in chapter 3. This will be done through different topics that were discussed during the interviews. As I have only studied one department in one bank, the results of these empirical findings cannot be generalized, but they may help in gaining an understanding of how these processes are done in these kinds of banks.
5.1 View on risk
As several of the interviewees expressed, risk is a big part of the daily operations of banks, and I1 said that
“…the whole concept bank consists of charging to take risk.”,
so being in the bank industry, it is not possible to avoid risk. The dangerous part comes if someone does not understand a risk or someone does not have a total overview of it, because then it is difficult to know how it can affect the organization. I4 expressed it in this way:
“To say it like this, as long as we know the risk and know how to handle it, it is okay with risk. But don’t misunderstand in the way that I am not searching for risk. But risk that we understand and can handle, that is in a way the short version of bank”.
I2 also expressed, related to credit risk, that
“... credit loss is in a way what we live by, we give loans and we know that not everyone is going to pay back, that is, a bank is always going to have losses, if not you have some very unlikely luck. So it is a part of the business. In my role that is not a weakness or a problem, it is just a part of the daily operations”.
As risk is so much a part of a bank's daily operations, it can be a problem if the organization is not able to take advantage of the opportunities and risk that it faces. I3 said that, when asking new employees about what the largest risk in a bank is,
“Most people say that it is credit, it is liquidity, it is making money, but the largest risk might be that you are not able to take care of the market opportunities every day.
Because if we are not able to have a healthy growth we will die, then we will not be able to earn equity, so to be in the market and have a healthy growth all the time, that is